XP keeps upping to 239.255.255.250 port 1900

Zoinks

Senior member
Oct 11, 1999
Oh, one other thing: If I use Zone Alarm to block "Generic Host Process for Win32 Service" my internet freezes up. However, Zone Alarm doesn't allow me to just block that one IP.
 

LordFortius

Senior member
Mar 11, 2001
Why'd you have to bring that up? I was happily using XP, and liking it, and now you've aroused big brother suspicions.... jeeeeeeeeez
 

Noriaki

Lifer
Jun 3, 2000
The beta has call home features so that MS knows who has it, because the beta is not supposed to be widely available.

I'm fairly sure that the final version won't have that.
 

LordFortius

Senior member
Mar 11, 2001
I don't really like the idea of XP calling home, even if I got it legitimately.... Is there a way to stop it from doing this?
 

Noriaki

Lifer
Jun 3, 2000
Well...I had a beta a few months ago...and I don't have it legitimately...I had a hack to disable Activation and Call Home.

I imagine the new betas do too because lots of people have them that shouldn't...check around.
 

LordFortius

Senior member
Mar 11, 2001
OK, I just talked to some people on dalnet, and they said that XP only calls Microsoft during installation, so as long as you disconnected your ethernet during installation, it shouldn't have called home. I don't know why your computer keeps calling 239.255.255.250. I just ran a check on that IP address, and it's located at the University of Southern California (not Redmond, Washington at least). Perhaps you have a trojan horse of some kind? I remember that when all those DoS attacks were occurring a while back, the pawn computers were all directed by computers at universities in California.... lol. Maybe you should check your computer for viruses?
 

Condor Beedee

Member
Nov 19, 1999
I have checked mine for a virus, and it does the same thing. Not sure why. The link at the top says it is for printer services to determine whether or not a new device has come online, but I'm suspicious.

 

Noriaki

Lifer
Jun 3, 2000
Hmmmm....U of SC sounds familiar...I'm sure that the Betas constantly contact a central location to file bug reports and stuff like that....

The final version will only be during install...but I'm sure the beta is constant...I could be wrong though....
 

Zoinks

Senior member
Oct 11, 1999
I found some more info here:
http://www.chipcenter.com/eexpert/gdorman/gdorman035.html

Not much, but it does confirm that the IP is owned by USC.



<< The protocol being used is UDP, and the system attempts to access a Web site with the address 239.255.255.250 via port 1900. Both explorer.exe (outbound) and ssdpsrv.exe (inbound) are involved in this access. I would not mind, except neither Microsoft nor Gateway have informed me of this situation, and it is a possible security issue. The protocol is known as Simple Service Discovery Protocol, and it is primarily used for detection and installation of UPnP devices on the fly. Using spamcop's excellent host tracking service, I discovered that the IP belongs to www.ep.net. Using the arin whois database, I found that the IP is registered with the University of Southern California as m-cast.net. They "own" IPs 224.0.0.0-239.255.255.255 >>



 

Zoinks

Senior member
Oct 11, 1999
More highly technical info:

Matt, For the past week or so a once quiet segment of a broadband net has become clogged with thousands of frames of a recurring pattern. Host IPs (where DNS resolves to client addresses, not AT&T routers) are sending groups of 4 frames, then it's repeated by another non-sequential host. Each pattern starts w/ an IGMP membership report and is followed by 3 UDP frames to dst port 1900. Each host trace routes as only one hop away (on my rr node) but TTL is 1 (expired), meaning they left the source w/ abnormally low TTLs. All are to dst IP 239.255.255.250.

Interspersed w/ the groups of 4 are many repeated "IGMP: Type 6, Ver2 Membership Report" frames from class A addresses like 4.0.0.3 and 5.0.0.4 (sample below) but these have dst 227.37.32.1.

I cannot find references to the 239.255.255.250 in the multicast block of iana.org or RFC1700, and I don't know what UDP 1900 is for.

At this point my log is filled with >100MB of this stuff and I've stopped collecting. Wasn't on the segment 2 weeks ago; now it's constant. ASCII break of the hex dumps looks like a discovery tool -- either intentional or seriously mal-configured. Phone call to AT&T resulted in a sincere "wow, that's a lot of traffic. I don't know what it is either but will check it out." It was not a known RoadRunner net management tool.

Collateral effects from some system ("Man:ssdp" = *nix ?) on a discovery binge? Spoofed IPs from some other mapping tool? Major malformed setup of something...but lack of consistent source IP (and 1+3 groups) doesn't really sound like a simple misconfig of a home Linux/Linux router system. Any ideas? Bob Hillery

- - - - - - - - - - - - - - - - - - - - Frame 1 - - - - - - - - - - - -
Frame Source Address Dest. Address Size Rel. Time Delta Time
Abs. Time Summary
1 [24.147.173.104] [239.255.255.250] 60 000:00:00.000 0.000.000
01/28/2001 06:43:53 AM IGMP: Type 6, Ver2 Membership Report
ADDR HEX ASCII
0000: 01 00 5e ff ff fa 00 20 78 c5 b3 74 08 00 46 00 | ..^.... xÅ.t..F.
0010: 00 20 00 19 00 00 01 02 6e c9 18 93 ad 68 ef ff | . ......nÉ...hï.
0020: ff fa 94 04 00 00 16 00 fa 04 ef ff ff fa 00 00 | ..........ï.....
0030: 00 00 00 00 00 00 00 00 00 00 00 00 | ............

- - - - - - - - - - - - - - - - - - - - Frame 2 - - - - - - - - - - - - -
Frame Source Address Dest. Address Size Rel. Time Delta Time
Abs. Time Summary
2 [24.147.173.104] [239.255.255.250] 132 000:00:08.899 8.899.056
01/28/2001 06:44:02 AM Expert: Time-to-live expiring

UDP: D=1900 S=1025 LEN=98
ADDR HEX ASCII
0000: 01 00 5e ff ff fa 00 20 78 c5 b3 74 08 00 45 00 | ..^.... xÅ.t..E.
0010: 00 76 00 24 00 00 01 11 03 5e 18 93 ad 68 ef ff | .v.$.....^...hï.
0020: ff fa 04 01 07 6c 00 62 cd 5f 4d 2d 53 45 41 52 | .....l.bÍ_M-SEAR
0030: 43 48 20 2a 20 48 54 54 50 2f 31 2e 31 0d 0a 48 | CH * HTTP/1.1..H
0040: 6f 73 74 3a 32 33 39 2e 32 35 35 2e 32 35 35 2e | ost:239.255.255.
0050: 32 35 30 0d 0a 53 54 3a 75 70 6e 70 3a 72 6f 6f | 250..ST:upnp:roo
0060: 74 64 65 76 69 63 65 0d 0a 4d 61 6e 3a 73 73 64 | tdevice..Man:ssd
0070: 70 3a 64 69 73 63 6f 76 65 72 0d 0a 4d 58 3a 33 | p:Discover..MX:3
0080: 0d 0a 0d 0a | ....

- - - - - - - - - - - - - - - - - - - - Frame 3 - - - - - - - - - - - - -
Frame Source Address Dest. Address Size Rel. Time Delta Time
Abs. Time Summary
3 [24.147.173.104] [239.255.255.250] 132 000:00:12.024 3.125.080
01/28/2001 06:44:05 AM Expert: Time-to-live expiring

UDP: D=1900 S=1025 LEN=98
ADDR HEX ASCII
0000: 01 00 5e ff ff fa 00 20 78 c5 b3 74 08 00 45 00 | ..^.... xÅ.t..E.
0010: 00 76 00 31 00 00 01 11 03 51 18 93 ad 68 ef ff | .v.1.....Q...hï.
0020: ff fa 04 01 07 6c 00 62 cd 5f 4d 2d 53 45 41 52 | .....l.bÍ_M-SEAR
0030: 43 48 20 2a 20 48 54 54 50 2f 31 2e 31 0d 0a 48 | CH * HTTP/1.1..H
0040: 6f 73 74 3a 32 33 39 2e 32 35 35 2e 32 35 35 2e | ost:239.255.255.
0050: 32 35 30 0d 0a 53 54 3a 75 70 6e 70 3a 72 6f 6f | 250..ST:upnp:roo
0060: 74 64 65 76 69 63 65 0d 0a 4d 61 6e 3a 73 73 64 | tdevice..Man:ssd
0070: 70 3a 64 69 73 63 6f 76 65 72 0d 0a 4d 58 3a 33 | p:Discover..MX:3
0080: 0d 0a 0d 0a | ....


(Matt Fearnow)
Bob, Well, here is my first stab, without checking on a few things. First IGMP's default ttl is set to 1 unless specifically specified. I know that much. I am not sure on the multicast address, nor the UDP 1900.

Source: http://www.sans.org/y2k/021201.htm
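As an added example (not from the thread or the SANS post), the Python below decodes Frame 2 of the capture quoted above from its hex columns, verifies the IP header checksum, pulls out the UDP ports and the SSDP request, and computes the RFC 1112 Ethernet multicast address the destination IP maps to, so a reader can confirm for themselves that this is an SSDP M-SEARCH to 239.255.255.250:1900 with TTL 1. The hex dump is re-typed from the page; the frame layout assumed is plain Ethernet II / IPv4 / UDP.

```python
"""Decode the SSDP M-SEARCH frame quoted above and check what it actually is."""
import struct

# Frame 2 from the capture quoted above, hex columns only (re-typed from the page).
FRAME2_DUMP = """
0000: 01 00 5e ff ff fa 00 20 78 c5 b3 74 08 00 45 00
0010: 00 76 00 24 00 00 01 11 03 5e 18 93 ad 68 ef ff
0020: ff fa 04 01 07 6c 00 62 cd 5f 4d 2d 53 45 41 52
0030: 43 48 20 2a 20 48 54 54 50 2f 31 2e 31 0d 0a 48
0040: 6f 73 74 3a 32 33 39 2e 32 35 35 2e 32 35 35 2e
0050: 32 35 30 0d 0a 53 54 3a 75 70 6e 70 3a 72 6f 6f
0060: 74 64 65 76 69 63 65 0d 0a 4d 61 6e 3a 73 73 64
0070: 70 3a 64 69 73 63 6f 76 65 72 0d 0a 4d 58 3a 33
0080: 0d 0a 0d 0a
"""
SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900

def dump_to_bytes(dump):
    """Turn 'OFFSET: xx xx ...' lines into raw frame bytes (any '| ascii' column is ignored)."""
    return b"".join(bytes.fromhex(l.split(":", 1)[1].split("|")[0])
                    for l in dump.strip().splitlines())

def ip_checksum_ok(hdr):
    """RFC 791 one's-complement sum over the whole header, including its checksum, folds to 0xffff."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total == 0xffff

def mcast_mac(ip):
    """RFC 1112 IPv4-to-Ethernet multicast mapping: 01-00-5e plus the low 23 bits of the IP."""
    o = [int(x) for x in ip.split(".")]
    return "01:00:5e:%02x:%02x:%02x" % (o[1] & 0x7f, o[2], o[3])

def decode(frame):
    """Return the fields a defender would check before deciding this traffic is SSDP discovery."""
    ihl = (frame[14] & 0x0f) * 4                       # IPv4 header length in bytes
    ttl, proto = frame[22], frame[23]                   # TTL 1 means no router will forward it
    dst_ip = ".".join(str(b) for b in frame[30:34])
    udp = 14 + ihl
    sport, dport, ulen = struct.unpack("!HHH", frame[udp:udp + 6])
    lines = frame[udp + 8:udp + ulen].decode("ascii").split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    return {
        "dst_mac": ":".join("%02x" % b for b in frame[:6]),
        "src_ip": ".".join(str(b) for b in frame[26:30]), "dst_ip": dst_ip,
        "ttl": ttl, "sport": sport, "dport": dport,
        "ip_checksum_ok": ip_checksum_ok(frame[14:udp]),
        "request_line": lines[0], "headers": headers,
        # SSDP discovery = UDP to the SSDP group/port, M-SEARCH request, MAN: ssdp:discover
        "is_ssdp_discovery": proto == 17 and dst_ip == SSDP_GROUP and dport == SSDP_PORT
            and lines[0].startswith("M-SEARCH") and headers.get("man", "").strip('"') == "ssdp:discover",
    }
```

Note that the frame's destination MAC is 01:00:5e:ff:ff:fa, while the RFC 1112 mapping of 239.255.255.250 gives 01:00:5e:7f:ff:fa; the IP header itself checksums correctly.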
 

Zoinks

Senior member
Oct 11, 1999
This is what res-ip@iana.org (Internet Corporation for Assigned Names and Numbers (IANA-ARIN)), the coordinator for that IP address had to say:



<< IP addresses in the range 224.0.0.0-240.0.0.0 are reserved for use by
IP multicast services on the Internet. Various addresses in this
range are used by routers and others are used by systems that have
multicast IP enabled. If you see these addresses on your network, the
most likely causes are systems or network devices within your own
network that are using IP multicast.

These addresses are available for any host that wants to
participate in multicast, and typically are assigned dynamically.
The source address should not be multicast (without prior
agreement). The destination address may be multicast. Values
are/should be registered in mcast.net.

IP multicasting is the networking technology that enables the delivery
of real-time multimedia while saving network bandwidth. Most of the
widely-used traditional Internet applications, such as web browsers
and email, 'unicast' between one sender and one receiver. In many
emerging applications, such as live transmission of multimedia
training and university courses one sender will 'multicast' to a group
of receivers simultaneously. Only the ones who are 'subscribing' to
the multicast data will receive it, thus reducing network traffic and
using available bandwidth economically.

Standards for assigning multicast addresses are still being developed.

This kind of IP address can only be used as a destination address. Even as a
destination address, unless you are on a network that is actively involved
in the development of the system for assigning IP addresses, it was probably
spoofed (faked). If a multicast address shows up in an alert as a source
address, it was almost certainly spoofed. A group of computers can't send a
data packet across a network.

Technical background information can be found in RFC 1112 at
<ftp://ftp.isi.edu/in-notes/rfc1112.txt>.

Please contact your ISP provider with this information as well as with
your concerns.

Best regards,
IANA
>>



This still doesn't clear up anything for me.
 

LordFortius

Senior member
Mar 11, 2001
Ahhh yes. The plot thickens. Well, I think we can at least be sure that it's not something built into XP by Microsoft. I still think it's some kind of program on your computer.

But then again, maybe the ICF built into XP has something to do with this?